An update for eap7-jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 and Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

With this update, the eap7-jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 7.0.7.

Refer to the JBoss Enterprise Application Platform 7.0.7 Release Notes, linked to in the References section, for information on the most significant bug fixes and enhancements included in this release.

Security Fix(es):

* A deserialization flaw was discovered in jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)

* It was found that use of a JMS ObjectMessage does not safely handle user-supplied data when deserializing objects. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the JMS ObjectMessage. (CVE-2016-4978)
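The jackson-databind flaw in the first item is reached through Jackson's default typing, which lets the JSON document name the concrete class to instantiate and so reach gadget classes on the classpath. The following is an added example, not code from the advisory or from Red Hat, showing the weak ObjectMapper setting beside a hardened one that confines polymorphic deserialization to an explicit allow list (jackson-databind 2.10 or later API); the Event type and the com.example.events package are assumed placeholders.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingConfig {

    // Weak setting: with default typing enabled, a type id embedded in the
    // JSON selects ANY loadable class for instantiation. This is the
    // configuration under which crafted input to readValue() becomes code
    // execution (CVE-2017-7525). Never use it on untrusted input.
    static ObjectMapper unsafeMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for this reason
        return mapper;
    }

    // Hardened setting: polymorphic handling stays off unless the target is
    // the application's own base type, and only subtypes from the named
    // package may be created. Any other class name in the input is rejected
    // with an InvalidTypeIdException instead of being instantiated.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfBaseType(Event.class)            // hypothetical app type
                .allowIfSubType("com.example.events.")   // hypothetical package
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Deserialize untrusted JSON into the application's base type only; the
    // validator above decides which concrete classes may back it.
    static Event parseEvent(String untrustedJson) throws Exception {
        return hardenedMapper().readValue(untrustedJson, Event.class);
    }

    // Placeholder base type for the example (assumed, not from the advisory).
    public interface Event {}
}
```

Where no polymorphic types are needed at all, the safest configuration is to leave default typing disabled entirely and deserialize only into concrete classes.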

Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525.